Typo3 Cms-Core vulnerabilities
98 known vulnerabilities affecting typo3/cms-core.
Total CVEs
98
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH26MEDIUM64LOW8
Vulnerabilities
Page 2 of 5
CVE-2022-23500P3HIGHCVSS 7.5≥ 9.0.0, < 9.5.38≥ 10.0.0, < 10.4.33+1 more2022-12-13
CVE-2022-23500 [HIGH] CWE-405 TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
### Problem
Requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web
ghsaosv
CVE-2021-21339P3MEDIUM≥ 6.2.0, < 6.2.57≥ 7.0.0, < 7.6.51+4 more2021-03-23
CVE-2021-21339 [MEDIUM] CWE-312 Cleartext storage of session identifier
Cleartext storage of session identifier
### Problem
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.
### Solution
Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 t
ghsaosv
CVE-2021-41113P3HIGHCVSS 8.8≥ 11.2.0, < 11.5.02021-10-05
CVE-2021-41113 [HIGH] CWE-309 Cross-Site-Request-Forgery in Backend
Cross-Site-Request-Forgery in Backend
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
### Problem
It has been discovered that the new TYPO3 v11 feature that allows users to create and share [deep links in the backend user interface](https://typo3.org/article/typo3-version-112-escape-the-orbit#c12178) is vulnerable to cross-site-request-forgery.
The impact is the same as described in [TY
ghsaosv
CVE-2021-21359P3MEDIUM≥ 10.0.0, < 10.4.14≥ 11.0.0, < 11.1.1+1 more2021-03-23
CVE-2021-21359 [MEDIUM] CWE-405 Denial of Service in Page Error Handling
Denial of Service in Page Error Handling
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5)
> * CWE-405, CWE-674
> * Status: **DRAFT**
### Problem
Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recu
ghsaosv
CVE-2020-26228P3HIGH≥ 9.0.0, < 9.5.23≥ 10.0.0, < 10.4.10+1 more2020-11-23
CVE-2020-26228 [HIGH] CWE-312 Cleartext storage of session identifier
Cleartext storage of session identifier
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.
### Solution
Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.
### Credits
ghsaosv
CVE-2024-25121P3HIGH≥ 8.0.0, < 8.7.57≥ 9.0.0, < 9.5.46+4 more2024-02-13
CVE-2024-25121 [HIGH] CWE-200 TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
### Problem
Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage")
ghsaosv
CVE-2026-49742P3HIGH≥ 11.0.0, < 11.5.51≥ 12.0.0, < 12.4.46+2 more2026-06-12
CVE-2026-49742 [HIGH] CWE-200 TYPO3 CMS has Broken Access Control in its Media Module
TYPO3 CMS has Broken Access Control in its Media Module
### Problem
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files.
### Solution
Update to TYPO3 versions 11.5.51 ELTS,
ghsa
CVE-2022-31050P3MEDIUM≥ 9.0.0, < 9.5.35≥ 10.0.0, < 10.4.29+1 more2022-06-17
CVE-2022-31050 [MEDIUM] CWE-613 Insufficient Session Expiration in TYPO3's Admin Tool
Insufficient Session Expiration in TYPO3's Admin Tool
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.6)
### Problem
Admin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolo
ghsaosv
CVE-2019-10912P3HIGH≥ 9.0.0, < 9.5.82020-02-12
CVE-2019-10912 [HIGH] CWE-502 Deserialization of untrusted data in Symfony
Deserialization of untrusted data in Symfony
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
ghsaosv
CVE-2019-19848P3MEDIUM≥ 10.0.0, < 10.2.2≥ 8.0.0, < 8.7.30+1 more2022-05-24
CVE-2019-19848 [MEDIUM] CWE-22 TYPO3 Directory Traversal on ZIP extraction
TYPO3 Directory Traversal on ZIP extraction
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
ghsaosv
CVE-2019-19850P3MEDIUM≥ 8.0, < 8.7.30≥ 9.0, < 9.5.12+1 more2022-05-24
CVE-2019-19850 [MEDIUM] TYPO3 SQL Injection in low-level Query Generator
TYPO3 SQL Injection in low-level Query Generator
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
ghsaosv
CVE-2020-11069P3HIGH≥ 9.0.0, < 9.5.17≥ 10.0.0, < 10.4.22020-05-13
CVE-2020-11069 [HIGH] CWE-346 Backend Same-Site Request Forgery in TYPO3 CMS
Backend Same-Site Request Forgery in TYPO3 CMS
> ### Meta
> * CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * CWE-352
> * CWE-346
### Problem
It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are t
ghsaosv
CVE-2024-25118P3MEDIUM≥ 8.0.0, < 8.7.57≥ 9.0.0, < 9.5.46+4 more2024-02-13
CVE-2024-25118 [MEDIUM] CWE-200 TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
### Problem
Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account.
### Solution
Update to TYPO3 versions 8.7.57 ELTS,
ghsaosv
CVE-2022-23501P3MEDIUM≥ 0, < 8.7.49≥ 9.0.0, < 9.5.38+3 more2022-12-13
CVE-2022-23501 [MEDIUM] CWE-287 TYPO3 CMS vulnerable to Weak Authentication in Frontend Login
TYPO3 CMS vulnerable to Weak Authentication in Frontend Login
### Problem
Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary.
### Solution
Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS,
ghsaosv
CVE-2008-2717P3MEDIUM≥ 4.0.0, < 4.0.9≥ 4.1.0, < 4.1.7+1 more2022-05-01
CVE-2008-2717 [MEDIUM] CWE-434 TYPO3 Unrestricted File Upload vulnerability
TYPO3 Unrestricted File Upload vulnerability
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
ghsaosv
CVE-2021-32767P3MEDIUM≥ 7.0.0, < 7.6.52≥ 8.0.0, < 8.7.41+3 more2021-07-26
CVE-2021-32767 [MEDIUM] CWE-532 Information Disclosure in User Authentication
Information Disclosure in User Authentication
> ### Meta
> * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9)
### Problem
It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration.
### Solution
Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.
### C
ghsaosv
CVE-2022-31047P3MEDIUM≥ 7.0.0, < 7.6.57≥ 8.0.0, < 8.7.47+3 more2022-06-17
CVE-2022-31047 [MEDIUM] CWE-209 Insertion of Sensitive Information into Log File in typo3/cms-core
Insertion of Sensitive Information into Log File in typo3/cms-core
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9)
### Problem
It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace.
### Solution
Update to TYPO3 versions
ghsaosv
CVE-2026-49740P3MEDIUM≥ 0, < 10.4.57≥ 11.0.0, < 11.5.51+3 more2026-06-12
CVE-2026-49740 [MEDIUM] CWE-502 TYPO3 CMS has Insecure Deserialization via Core API
TYPO3 CMS has Insecure Deserialization via Core API
### Problem
TYPO3's cache frontend (`VariableFrontend`) and persistent key-value store (`Registry`) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, p
ghsa
CVE-2026-47352P3MEDIUM≥ 0, < 10.4.57≥ 11.0.0, < 11.5.51+3 more2026-06-12
CVE-2026-47352 [MEDIUM] CWE-862 TYPO3 CMS has Broken Access Control in Backend API
TYPO3 CMS has Broken Access Control in Backend API
### Problem
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages.
### Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
### Credits
ghsa
CVE-2026-47349P3MEDIUM≥ 0, < 10.4.57≥ 11.0.0, < 11.5.51+3 more2026-06-12
CVE-2026-47349 [MEDIUM] CWE-862 TYPO3 CMS has Broken Access Control in the Recycler Module
TYPO3 CMS has Broken Access Control in the Recycler Module
### Problem
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify.
### Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
### Credits
TYPO3 CMS thanks Hyunseo Shin for rep
ghsa